Data Protection Policy for Fusion Financial Technology Limited

Last Updated: 27 June, 2024

1. Introduction

Fusion Financial Technology Limited (“the Company” or “Fusion”) is a financial technology company with the objective of providing innovative business, financial and social solutions to individuals and companies through the use of technology by partnering with licensed financial institutions for the enhancement of such services to targeted customers. In light of the emerging data regulatory environment which requires higher transparency and accountability in how companies manage and use personal data, the Company must ensure that its business operations align with global best practices on protection of rights and privacy of individuals.

2. Policy

The Data Protection Policy (“the Policy”) is a formal acknowledgment that the Company is committed to the protection of rights and privacy of individuals, in accordance with the Nigeria Data Protection Act, 2023 (“the Act”).

3. Description

The Policy describes how the Company shall collect, handle and store personal data of individuals to meet the data protection standards.

4. Definitions

  • Consent means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.
  • Data means characters, symbols and binary on which operations are performed by a computer which may be stored or transmitted in the form of electronic signals stored in any format or any device.
  • Database means a collection of data organized in a manner that allows access, retrieval, deletion, and processing of that data; it includes but is not limited to structured, unstructured, cached and file system type databases.
  • Data Processor means a person or organization that processes data on behalf of or at the direction of a Data Controller or another data processor.
  • Data Controller means a person who either alone, jointly with other persons or in common with other persons or as a statutory body, determines the purposes for and the manner in which Personal Data is processed or is to be processed.
  • Data Portability means the ability for Data to be transferred easily from one IT system or computer to another through a safe and secure means in a standard format.
  • NDPC means Nigeria Data Protection Commission.
  • Data Protection Compliance Organisation (DPCO) means any entity duly licensed by NDPC for the purpose of training, auditing, consulting and rendering services and products for the purpose of compliance with this Act or any foreign Data Protection law or regulation having effect in Nigeria.
  • Data Subject means an identifiable person; one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.
  • Personal Data means any information relating to an identified or identifiable natural person (Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; it can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM and others.
  • Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

5. Purpose

The purpose of this Policy is to:

  • Protect the Company from the risks of a data breach.
  • Disclose how the Company stores and processes individuals’ Data.
  • Protect the rights of staff, members and stakeholders.
  • Comply with the Act and follow international best practices.

6. Nigeria Data Protection Act

The Act, which came into force on June 12th, 2023, regulates the gathering, storing and processing of Personal Data (regardless of whether Data is stored electronically, on paper or on other materials), and protects the rights and privacy of all living individuals (including children). The Act applies to natural persons residing in Nigeria or residing outside Nigeria but of Nigerian descent.

7. Governing Principles of Data Protection

The Act mandates every Data Controller to process any Personal Data in accordance with the governing principles of data protection. In order to comply with the obligations, Fusion undertakes to adhere to the following principles:

a. Data Processing

The following statement shall guide compliance with the Act on Data Processing. Fusion shall:

  • Collect and process Personal Data in accordance with specific, legitimate and lawful purpose consented to by the Data Subject.
  • Take reasonable steps to ensure that any Personal Data is accurate.
  • Store Personal Data about an individual that is sufficient for the purpose it is holding it for in relation to that individual.
  • Store individuals’ Personal Data only for the period within which it is reasonably needed.
  • Secure Personal Data against all foreseeable hazards, breaches such as theft, cyberattack, viral attack, dissemination, manipulations of any kind, damage by rain, fire or exposure to other natural elements.
  • Exercise duty of care of Personal Data in its possession.
  • Be accountable for its acts and omissions in respect of Data Processing and in accordance with the Act.

b. Lawful Processing

The Company shall process Personal Data of individuals if at least one (1) of the following applies:

  • The Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes.
  • Processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract.
  • Processing is necessary for compliance with a legal obligation to which Fusion is subject.
  • Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person.
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official public mandate vested in Fusion.

c. Procuring Consent

To fulfill the requirement of the Act, Personal Data will be processed in accordance with the rights of the Data Subject. The Company's business operations will be guided by the following statements:

  • The Company shall not obtain Personal Data unless the specific purpose of collection is made known to the Data Subject.
  • The Company shall ensure that Consent of the Data Subject has been obtained without fraud, coercion or undue influence.
  • The Company shall ensure that the Data Subject has consented to processing of his or her Personal Data and has the legal capacity to give consent, where processing is based on consent.
  • The Company shall request for consent in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language, where the Data Subject's Consent is given in the context of a written declaration.
  • The Company shall inform the Data Subject of his/her right and the ease to withdraw his/her Consent at any time.
  • When the Company is assessing whether Consent is freely given, it shall take utmost account of whether the performance of a contract, including the provision of a service, is conditional on Consent to the processing of Personal Data that is not necessary or excessive for the performance of the contract.
  • The Company shall request the Consent of the Data Subject where Data may be transferred to a third party for any reason.

d. Due Diligence and Prohibition of Improper Motives

To align with these requirements, the Company shall:

  • Not seek consent that may engender direct or indirect propagation of atrocities, hate, child rights violation, criminal acts, and anti-social conducts.
  • Take reasonable measures to ensure that a party to any data processing contract does not have a record of violating the Act and such party is accountable to NDPC or a reputable regulatory authority for data protection within or outside Nigeria.

e. Data Security

The Company recognises the importance of protecting Data from unauthorized access and data corruption and the Company shall:

  • Develop security measures including but not limited to protecting systems from hackers.
  • Set up firewalls and protect email systems.
  • Store data securely with access to specific authorized individuals.
  • Employ Data encryption technologies.
  • Develop organizational policy for handling personal data and other sensitive or confidential Data.
  • Continuously build capacity for all staff.

f. Third Party Data Processing Contracts

To ensure compliance with the Act, being a Data Controller, the Company shall:

  • Ensure that a written contract is signed by a third party that will process Personal Data of individuals.
  • Ensure that such a third party that will process the data obtained from Data Subjects complies with the Act.

g. Objections by the Data Subject

The Company acknowledges that individuals have the right to object to the processing of their Personal Data, as such the Company shall only process Personal Data in accordance with Data Subjects' rights as listed below:

  • Option to object to the processing of Personal Data relating to the Data Subject which Fusion intends to process for the purposes of marketing.
  • Option to be expressly and manifestly offered the mechanism for objection to any form of data processing free of charge.

h. Objections by the Data Subject

The Company shall comply with the Act and any transfer of Personal Data which is undergoing processing or is intended for processing after transfer to a foreign country or an international organization shall take place subject to the provisions of the Act.

i. Exceptions in Respect of Transfer to a Foreign Country

In the absence of any decision made by NDPC or the Honourable Attorney General of the Federation (HAGF) on the transfer of Personal Data to a foreign country, Fusion shall initiate the transfer or set of transfers of Personal Data to such foreign country or an international organization only when:

  • The Data Subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the Data Subject due to the absence of an adequacy decision and appropriate safeguards and that there are no alternatives.
  • The transfer is necessary for the performance of a contract between the Data Subject and Fusion or the implementation of precontractual measures taken at the Data Subject's request.
  • The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between Fusion and another natural or legal person.
  • The transfer is necessary for important reasons of public interest.
  • The transfer is necessary for the establishment, exercise or defense of legal claims.
  • The transfer is necessary in order to protect the vital interests of the Data Subject or of other persons, where the Data Subject is physically or legally incapable of giving consent.

Fusion, in compliance with the Act, shall explicitly communicate through clear warnings of the specific principle(s) of data protection that are likely to be violated in the event of a transfer to a third country.

8. Rights of Data Subject

To comply with this section under the Act, Fusion shall:

  • Take appropriate measures to provide any information relating to processing, to the Data Subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.
  • Provide such information in writing, or by other means, including, where appropriate, by electronic means.
  • Provide any information relating to processing of data obtained from the Data Subject orally, at the request of the Data Subject, provided that the identity of the Data Subject is proven by other means.
  • Inform the Data Subject without delay and at least within one (1) month of receipt of a request relating to the processing of his/her data, the reasons for not providing the information and the possibility of lodging a complaint with the supervisory authority.
  • Provide information, any form of communication or any actions taken to a Data Subject free of charge.
  • Charge the Data Subject if the request for his/her data is manifestly unfounded or excessive, in particular because of its repetitive character. The charge shall be a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested.
  • Write a letter to the Data Subject stating “refusal act” on the request and copy NDPC on every occasion through a dedicated channel which shall be provided for such purpose, provided that such request is excessive.
  • Bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
  • Request for provision of additional information necessary to confirm the identity of the Data Subject where the Company has reasonable doubts concerning the identity of the requestor.
  • Provide the information in combination with standardized icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing and machine-readable format when presented electronically.
  • Provide the Data Subject with all of the following information, prior to collecting Personal Data:
    • The identity and the contact details of Fusion
    • The contact details of the Data Protection Officer
    • The purposes of the processing for which the Personal Data are intended as well as the legal basis for the processing.
    • The legitimate interests pursued by Fusion or by a third party.
    • The recipients or categories of recipients of the Personal Data, if any.
    • Where applicable, the fact that Fusion intends to transfer Personal Data to a third country or international organization and the existence or absence of an adequacy decision by NDPC.
    • The period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period.
    • The existence of the right to request from Fusion, access to and rectification or erasure of Personal Data or restriction of processing concerning the Data Subject or to object to processing as well as the right to Data Portability.
    • The existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on Consent before its withdrawal.
    • The right to lodge a complaint with a relevant authority.
    • Whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the Personal Data and of the possible consequences of failure to provide such data.
    • The existence of automated decision-making, including profiling and, at least, in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.
    • Where Fusion intends to further process the Personal Data for a purpose other than that for which the Personal Data were collected, it shall provide the Data Subject prior to that further processing with information on that other purpose and with any relevant further information.
    • Where applicable, that the Company intends to transfer Personal Data to a recipient in a foreign country or international organization and the existence or absence of an adequacy decision by the Company.
  • Inform the Data Subject of the appropriate safeguards for data protection in the foreign country.
  • Rectify, without undue delay, inaccurate Personal Data concerning Data Subjects per their requests.
  • Acknowledge the right of Data Subjects to have their incomplete data completed, including by means of providing a supplementary statement.
  • Delete Personal Data without delay, upon request of the Data Subject.
  • Delete Personal Data where one of the following grounds applies:
    • The Personal Data are no longer necessary in relation to the purposes for which they were collected or processed.
    • The Data Subject withdraws Consent on which the processing is based.
    • The Data Subject objects to the processing and there are no overriding legitimate grounds for the processing.
    • The Personal Data has been unlawfully processed.
    • The Personal Data has to be erased for compliance with a legal obligation in Nigeria.
  • Take all reasonable steps to delete all the Personal Data made public and inform other companies processing the Personal Data of the Data Subject request.
  • Acknowledge Data Subjects' rights to obtain restriction of processing their Personal Data where one of the following applies:
    • The accuracy of the Personal Data is contested by the Data Subject for a period enabling Fusion to verify the accuracy of the Personal Data.
    • The processing is unlawful, and the Data Subject opposes the erasure of the Personal Data and requests the restriction of their use instead.
    • Fusion no longer needs the Personal Data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defense of legal claims.
    • The Data Subject has objected to processing pending the verification to confirm whether the legitimate grounds of Fusion override those of the Data Subject.
  • Process Personal Data with the Data Subject's consent, where processing has been restricted.
  • Communicate any rectification or erasure of Personal Data or restriction to each recipient to whom the Personal Data has been disclosed, unless this proves impossible or involves disproportionate effort.
  • Provide Personal Data concerning Data Subjects, in a structured manner, commonly used and machine-readable format to such Data Subjects.
  • Not hinder the Data Subject from transmitting those data in its database to another company where the processing is based on consent, on a contract and processing is carried out by automated means.
  • Execute Data Subjects’ requests on transmission of their Personal Data to another company, where technically feasible.

9. Scope

This Policy applies to all staff, Management and Board of Fusion and as a matter of best practice, to other companies (contractors, suppliers etc.), individuals working with Fusion and its stakeholders who have access to personal information. It is also applicable to all data that Fusion holds relating to identifiable individuals, even if that information technically falls outside of the Act. This includes, but is not limited to:

  • Names of individuals
  • Contact phone numbers.
  • Any other information relating to the individuals.

10. Reference

The Nigeria Data Protection Act, 2023.

The Nigeria Data Protection Regulation, 2019.
